Robin_H
Contributor

ESP packets use ISP router MAC instead of ISP HSRP MAC

Hi!

I have several sites with an R81.10 cluster (active/standby), two switches and two ISP routers.

These routers are configured with HSRP.

[Image: ISP connection.JPG]

When the ISP router sends packets, the source MAC is always the router MAC.

When the firewall is sending traffic to the internet, the HSRP MAC of the ISP router is used as a destination.

Exception: when the firewall is sending ESP packets with protocol "UDP (17)" (looks like the actual VPN data packets for Site2Site and Client2Site connections), then the MAC of the actual router is used as a destination.

Is this an expected behaviour or can it be influenced?

The issue with this is: In case of a router failure, the traffic will be sent to a dead MAC.

And as we also have a site with ISP load-sharing, the traffic might be sent directly to the secondary router. If then the switch in the path is restarted, the VPN tunnels also suffer.

Thanks in advance for some insights!

EDIT: Through the support portal I now found this "vpn r80.20 vsx - Check Point CheckMates" thread, which looks quite similar. Will look at it tomorrow; it didn't come up in the Community website search.
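As an added example (not from the post, and not Check Point code), a small Python check that can be run over captured outbound frames to confirm the behaviour described above: it flags native ESP (IP protocol 50) or UDP-encapsulated ESP frames whose destination MAC is not the Cisco HSRPv1 virtual MAC (00:00:0c:07:ac:<group>). It assumes the "UDP" ESP packets are NAT-T on UDP 4500; the sample frames, MACs and IP addresses are constructed.

```python
import struct

# Cisco HSRPv1 virtual MAC is 00:00:0c:07:ac:<group>; the last byte is the HSRP group.
HSRP_V1_PREFIX = bytes.fromhex("00000c07ac")
ESP_PROTO, UDP_PROTO = 50, 17
NAT_T_PORT = 4500  # assumption: the UDP-carried ESP in the post is NAT-T encapsulated ESP

def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)

def classify_frame(frame):
    """Return (dst_mac, kind) for an IPv4 frame; kind is 'esp', 'nat-t' or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    kind = None
    if proto == ESP_PROTO:
        kind = "esp"
    elif proto == UDP_PROTO and len(frame) >= 14 + ihl + 8:
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        if dport == NAT_T_PORT:
            kind = "nat-t"
    return mac_str(frame[:6]), kind

def find_misdirected_vpn_frames(frames):
    """VPN frames (ESP / NAT-T) whose destination MAC is a physical router, not the HSRP virtual MAC."""
    hits = []
    for frame in frames:
        result = classify_frame(frame)
        if result is None:
            continue
        dst, kind = result
        if kind and not frame[:6].startswith(HSRP_V1_PREFIX):
            hits.append((dst, kind))
    return hits

# --- constructed sample frames (firewall -> ISP router), not a real capture ---
FW_MAC = bytes.fromhex("021122334455")      # constructed, locally administered
HSRP_MAC = HSRP_V1_PREFIX + b"\x01"          # HSRP group 1 virtual MAC
ROUTER_MAC = bytes.fromhex("026677889900")  # constructed physical router MAC

def build_frame(dst_mac, proto, dport=None):
    ip_hdr = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0]) + bytes([10, 0, 0, 2, 198, 51, 100, 1])
    l4 = struct.pack("!HHHH", 4500, dport, 8, 0) if dport else b"\x00" * 8
    return dst_mac + FW_MAC + b"\x08\x00" + ip_hdr + l4

SAMPLE = [
    build_frame(HSRP_MAC, ESP_PROTO),          # native ESP to the virtual MAC: fine
    build_frame(ROUTER_MAC, UDP_PROTO, 4500),  # NAT-T ESP sent to the physical router: flagged
    build_frame(ROUTER_MAC, UDP_PROTO, 53),    # DNS to the physical router: not VPN, ignored
]
```

Running `find_misdirected_vpn_frames` over a real capture (decoded to raw frames) shows exactly which VPN frames would be black-holed if that physical router failed.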
